[Python-ideas] Secure string disposal (maybe other immutable seq types too?)

Guido van Rossum guido at python.org
Fri Jun 22 21:30:35 EDT 2018


A wipe() method that mutates a string while it can still be referenced
elsewhere is unacceptable -- it breaks an abstraction that is widely
assumed.

Chris's proposal can be implemented, it would set a hidden flag. Hopefully
there's room for the flag without increasing the object header size.


On Fri, Jun 22, 2018 at 5:46 PM Chris Angelico <rosuav at gmail.com> wrote:

> On Sat, Jun 23, 2018 at 10:31 AM, Ezequiel Brizuela [aka EHB or
> qlixed] <qlixed at gmail.com> wrote:
> >   I propose to make the required changes on the string objects to add an
> > option to overwrite the underlying buffer. To do so:
> >
> >   * Add a wiped attribute that is read-only, to be set when the string
> > is overwritten.
> >   * Add a wipe() method that overwrites the internal string buffer.
>
> Since strings are immutable, it's entirely possible for them to be
> shared in various ways. Having the string be wiped while still
> existing seems to be a risky approach.
>
> > So this will work like this:
> >
> >>>> pwd = getpass.getpass('Set your password:')  # could be other sensitive data.
> >>>> encrypted_pwd = crypt.crypt(pwd)  # crypt() just as example.
> >>>> pwd.wiped  # Check if pwd was wiped.
> > False
> >>>> pwd.wipe()  # Overwrite the underlying buffer
> >>>> pwd.wiped  # Check if pwd was wiped.
> > True
> >>>> print(pwd)  # Print noise (or empty str?)
> >>>> del pwd  # Now it is in the hands of the GC.
>
> Would it suffice to flag the string as "this contains sensitive data,
> please overwrite its buffer when it gets deallocated"? The only
> difference, in your example, would be that the last print would show
> the original data, and the wipe would happen afterwards. Advantages of
> this approach include that getpass can automatically flag the string
> as sensitive, and the "sensitive" flag can infect other strings (so
> <<pwd + "x">> would be automatically flagged to be wiped). Downside:
> You can't say "I'm done with this string, destroy it immediately".
>
> ChrisA
>


-- 
--Guido van Rossum (python.org/~guido)
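The two objections above (a str can be aliased from anywhere, so an in-place wipe() breaks the immutability contract; a "wipe when deallocated" flag is the safer shape) can be shown concretely. The following is an added example and not code from the thread or from CPython: it demonstrates the aliasing with sys.getrefcount, then shows the tool that exists today, a bytearray-backed holder whose wipe() and wiped mirror the proposed API on a type whose mutability is part of its contract. The Secret class, its method names and the sample secret b"hunter2" are all constructed for this illustration.

```python
"""Added example, not code from the thread: why an in-place wipe() on str is
unsafe in CPython, and the mutable alternative available today."""
import sys


def string_is_shared():
    """Two names bound to one str object: a wipe through either would hit both.

    Constructed sample: the concatenation runs at call time, so the result is
    a fresh heap string rather than a compile-time constant.
    """
    pwd = "hunter" + "2"
    copy = pwd                      # no copy is made; both names alias one buffer
    # getrefcount counts pwd, copy and its own argument slot, so at least 3
    return copy is pwd, sys.getrefcount(pwd)


class Secret:
    """Holds sensitive bytes in a bytearray that is overwritten on demand.

    Mirrors the proposed wiped / wipe() API, but on a mutable type, so every
    memoryview handed out sees the wipe instead of silently keeping the data.
    """

    def __init__(self, data: bytes):
        self._buf = bytearray(data)   # private copy; the caller's bytes are untouched
        self.wiped = False

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.wipe()
        return False

    def __del__(self):
        # Best effort only: this is the "wipe on deallocation" variant, and
        # __del__ is not guaranteed to run promptly (or at interpreter exit).
        if hasattr(self, "_buf"):
            self.wipe()

    def view(self) -> memoryview:
        if self.wiped:
            raise ValueError("secret has already been wiped")
        return memoryview(self._buf)

    def wipe(self):
        """Zero the buffer in place.

        A same-length slice assignment is permitted even while memoryviews of
        the bytearray exist, so no outstanding view can keep the plaintext.
        """
        if not self.wiped:
            self._buf[:] = bytes(len(self._buf))
            self.wiped = True


def wipe_demo():
    """Constructed secret; returns what an earlier view showed before and after."""
    s = Secret(b"hunter2")
    view = s.view()
    before = bytes(view)
    s.wipe()
    after = bytes(view)            # the old view now reads zeros
    try:
        s.view()
        still_readable = True
    except ValueError:
        still_readable = False
    return before, after, s.wiped, still_readable


if __name__ == "__main__":
    print(string_is_shared())      # (True, 3): one object, several holders
    print(wipe_demo())             # (b'hunter2', b'\x00\x00\x00\x00\x00\x00\x00', True, False)
```

The caveat a practitioner needs: getpass.getpass() still returns a str, so feeding its result into Secret leaves the original str alive until the garbage collector frees it, and nothing zeroes that memory. To keep the secret out of str objects entirely, read the bytes from the terminal yourself (for example from sys.stdin.buffer) straight into a bytearray; that is the part the proposal in this thread would have made unnecessary.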